
IDS Design

Dear all,

I've been a member and viewer of Antionline for some time now but until this point have not been inclined to participate (other than the obligatory 'Hi everyone I'm a new member' post) because 1 - I didn't really work in IT Security and 2 - Whenever someone asks a question they receive top drawer ‘articles’ (!) masquerading as fixes, advice and security mantras from the plethora of expert forum members. I just read the replies with my jaw wide open.

Didn’t know whether to put this in the newbie or IDS forum but as I’m not entirely a newbie to security thought I would go for this one.

The main reason I use the site & forum is to try and educate myself a little, an instructor on a Cisco PIX course pointed me to the site last year. Since then I've started the CCSP certification track and have passed the PIX and Secur exams.

Anyway, my situation has recently changed a little and I am due to start a new position in my company's security practice which I am absolutely thrilled about. Well pleased anyway….

I start in March and my only brief to this point is that I will be involved in IDS Design and Firewall Design. I was wondering if any of you guys or ladies could give me some advice on any preparation work I could do so I have a chance of hitting the ground running or at the very least limping. I don't have any IDS experience to date but during the last month (since I knew I had secured the role) I've gone through some of the Cisco IDS CCSP training guides to familiarise myself with that product. I've also got a couple of books on Snort and plan to install this myself on a lab at home to mess around with it and get used to this offering.

I'm also aware that some of the networks that are currently supported by the organisation use the ISS RealSecure product so any advice on where I could learn about this would be appreciated.

I’ve also gone through some Ethical Hacking computer based training which was absolutely fascinating and I would recommend to anyone working in security because looking at it from the other side of the firewall really opens your eyes and to be quite honest is kind of ….sexy….. Sort of makes me feel like I’m a law-abiding cop trying to keep out the underworld full of Russian hacking teams and International terrorists!

I have more experience with Firewalls although I would still greatly appreciate any advice on the design aspect of these in a security solution. Until now I've been more of a support type person so now I'm getting the opportunity to move into design I want to cover all angles so any advice from the esteemed members of this forum would be gratefully received!

So in short… Can anyone give me some advice on IDS Design and on Firewall design? Please?

Unless your company is involved in the development of IDS' for sale why would you go about reinventing a wheel that is pretty much round already?

Read the Snort source code.... It's out there for all to see.... That will give you some great insight into the design of an IDS.

Reading the IPTables/Chains source code would do similar for firewalls.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Ok... I think I see it now.... You are looking at it from an infrastructure POV rather than designing the IDS itself, right?

I would take a womble through http://rr.sans.org in the IDS section. IIRC there are some nice papers on IDS infrastructure there. You might also look at http://www.snort.org since I believe they have some papers there on this too.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

As far as firewalls go, my suggestion would be to find out what is in use now and what services are needed, then deny all as default, only allow what is necessary. That sounds easy, but the latter is not so. Could be near impossible depending on what is in use now and how it is implemented.

( I think it prudent to mention here, I think of firewalls as a second, third, or even fourth line of defense, and I am a proponent of firewalls. I know you've heard this before, but shutting down unnecessary services on each box, proper ACLs, proper AUPs, appropriate patching in a timely fashion, etc. are priorities. )
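The "find out what is needed, then deny all by default" approach above, and the earlier pointer to the IPTables code, can be turned into a concrete procedure. The following is an added example (not code from the thread or from the iptables project): it takes a constructed sample of observed inbound flows, keeps only the services that are both seen in traffic and declared as required, and emits a default-deny iptables INPUT chain that opens nothing else. `OBSERVED_FLOWS`, `REQUIRED_SERVICES`, `ADMIN_NET` and the `min_hits` threshold are all assumptions chosen for the illustration; a real run would read flows from firewall logs or a flow collector.

```python
"""Derive a least-privilege allow-list from observed flows and emit a
default-deny iptables ruleset.  Added example; all sample data is constructed."""
from collections import Counter

# Constructed sample of observed inbound flows: (proto, dst_port, hit count)
OBSERVED_FLOWS = [
    ("tcp", 80, 1532), ("tcp", 443, 2210), ("tcp", 25, 310),
    ("tcp", 135, 2),     # a couple of stray hits, not a service we run
    ("udp", 53, 940), ("tcp", 22, 48),
]

# Services the business actually needs (the "find out what is needed" step)
REQUIRED_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)}
ADMIN_NET = "10.0.0.0/24"   # assumption: management hosts; SSH only from here


def allowed_services(flows, required, min_hits=10):
    """Return (allow, unseen, noise):
    allow  - services both required and actually seen at least min_hits times
    unseen - required services never (or barely) seen, worth questioning
    noise  - services seen in traffic but not required (stay denied)"""
    seen = Counter()
    for proto, port, hits in flows:
        seen[(proto, port)] += hits
    allow = {svc for svc in required if seen[svc] >= min_hits}
    unseen = required - allow
    noise = {svc for svc in seen if svc not in required}
    return allow, unseen, noise


def iptables_rules(allow, admin_net):
    """Emit a default-deny INPUT chain that opens only the services in `allow`.
    Commands are returned as strings so they can be reviewed before applying."""
    rules = [
        "iptables -P INPUT DROP",          # deny by default
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        # replies to connections the host itself opened
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # administrative access restricted to the management network
        f"iptables -A INPUT -p tcp --dport 22 -s {admin_net} -j ACCEPT",
    ]
    for proto, port in sorted(allow):
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j ACCEPT")
    # log what the default policy is about to drop, so tuning is evidence-based
    rules.append('iptables -A INPUT -j LOG --log-prefix "INPUT-DROP: "')
    return rules


if __name__ == "__main__":
    allow, unseen, noise = allowed_services(OBSERVED_FLOWS, REQUIRED_SERVICES)
    print("opening:", sorted(allow))
    print("required but not seen:", sorted(unseen))
    print("seen but not required (denied):", sorted(noise))
    print("\n".join(iptables_rules(allow, ADMIN_NET)))
```

The `noise` set is the useful output: ports 135 and 22 showed up in traffic but were not on the required list, so they stay closed (SSH is opened separately, only from the admin network). Running the script in review mode and reading the `INPUT-DROP:` log lines after applying is how you find the "near impossible" cases the post mentions, where something undocumented was quietly depending on a port.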

If I can suggest a book that will serve as both a great tutorial and reference, try:
Network Intrusion Detection (3rd Edition) by Stephen Northcutt, Judy Novak
*Have it sitting on my desk- very handy*

Becoming familiar with Snort will definitely help understand why the various alerts trigger.

As for Cisco IDS, snort won't entirely help you out there... as their signatures I believe are proprietary.... spanning back from when they originally were NetRanger. But saying as how majority of the other IDS's on the market are based off snort... it will certainly help you.

I prefer the Cisco IDS sensors. I realize this may not be economically feasible for your clients. Especially if they are going with the newer versions of firmware (5.x) and are using IPS functionality. Licensing costs get ridiculous. Not to mention, the sensors themselves aren't cheap. Regardless, they are easy to manage, and provide a lot of information regarding the alerts...even packet captures.
The following guide provides you with virtually everything you need to know for setting up Cisco IDS sensors (4.x) and how to configure them: Cisco Intrusion Detection System Appliance and Module Installation and Configuration Guide Version 4.1

Position of the IDS Sensor is important. When monitoring IDS systems, it can be slightly overwhelming if the sensor is positioned on an external/public interface.. you get to see all the nasty stuff floating about the internet banging on your door. Putting the IDS on the inside right behind the firewall will cut out a lot of the bogus alerts reported and will hopefully display more relevant results happening on the LAN.

Tiger Shark made a GREAT recommendation and that was for the Sans Reading Room... lots of good info there.

The info I have written above probably is a bit vague... Feel free to PM me if you want some more info (resources, good/bad experiences, techniques, or anything else that may help you). I don't want to bore everyone in the forum with some of that stuff.
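Two points in this thread, reading the Snort source to see how an IDS is built and getting familiar with Snort to understand why alerts trigger, come down to the same mechanism: a rule is a header (protocol, source, destination, port) plus options such as a content match, and an alert fires only when every part matches. The following is an added example, not Snort's code and not from any poster here: a minimal signature matcher over constructed packets, with an `explain` function that names the first rule option that rejected a packet, which is exactly the question you ask when tuning a noisy sensor. `HOME_NET`, the rules, their SIDs and the packets are all constructed for the illustration.

```python
"""Minimal Snort-style signature matcher (added example, not Snort's code).
Rules and packets are constructed; HOME_NET is an assumed monitored network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int                   # signature id, as in Snort's "sid" option
    msg: str                   # text reported when the rule fires
    proto: str                 # "tcp", "udp" or "any"
    src_net: str               # "any" or a CIDR
    dst_net: str
    dport: Optional[int]       # None means any port
    content: Optional[bytes]   # None means header-only rule
    nocase: bool = False       # case-insensitive content match


HOME_NET = "192.168.1.0/24"   # assumption; Snort calls this $HOME_NET

# Constructed rules in the shape of Snort signatures
RULES = [
    Rule(1000001, "WEB-MISC /etc/passwd access", "tcp", "any", HOME_NET, 80,
         b"/etc/passwd", nocase=True),
    Rule(1000002, "POLICY telnet connection to HOME_NET", "tcp", "any", HOME_NET, 23,
         None),
]

# Constructed packets: two fire, two do not
PACKETS = [
    Packet("tcp", "203.0.113.7", "192.168.1.10", 80, b"GET /../../ETC/PASSWD HTTP/1.0"),
    Packet("tcp", "203.0.113.7", "192.168.1.10", 80, b"GET /index.html HTTP/1.0"),
    Packet("tcp", "192.168.1.20", "192.168.1.10", 23, b""),
    Packet("tcp", "203.0.113.7", "192.168.1.10", 443, b"/etc/passwd"),
]


def _net_match(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def explain(rule: Rule, pkt: Packet) -> Optional[str]:
    """Return None when every rule option matches, otherwise the name of the
    first option that rejected the packet.  Options are checked cheapest
    first, header before payload, which is also how real engines order them."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return "proto"
    if not _net_match(rule.src_net, pkt.src):
        return "src"
    if not _net_match(rule.dst_net, pkt.dst):
        return "dst"
    if rule.dport is not None and rule.dport != pkt.dport:
        return "dport"
    if rule.content is not None:
        hay, needle = pkt.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return "content"
    return None


def run(rules, packets):
    """Return one (sid, msg, src) alert per rule/packet pair that fully matches."""
    return [(r.sid, r.msg, p.src) for p in packets for r in rules
            if explain(r, p) is None]


if __name__ == "__main__":
    for sid, msg, src in run(RULES, PACKETS):
        print(f"[{sid}] {msg} from {src}")
    # why did the last packet not alert on rule 1000001?
    print("rule 1000001 vs packet 4 rejected on:", explain(RULES[0], PACKETS[3]))
```

The fourth packet carries the matching string but on port 443, so `explain` reports `dport`; the second is on the right port but has no matching content. Seeing which option rejects a packet is also what the placement discussion comes down to: a sensor on the outside sees every header-only probe match, while one behind the firewall only sees what the firewall let through.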